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Abstract. Pseudo- Random Bit Generation (PRBG) is required in many 
aspects of cryptography as well as in other applications of modern secu- 
rity engineering. In this work, PRBG based on 2D symmetrical chaotic 
mappings of logistic type is considered. The sequences generated with a 
chaotic PRBG of this type, are statistically tested and the computational 
effectiveness of the generators is estimated. Considering this PRBG valid 
for cryptography, the size of the available key space is also calculated. 
Different cryptographic applications can be suitable to this PRBG, being 
a stream cipher probably the most immediate of them. 
Key Words: Pseudorandom Bit Generation, Chaotic Cryptography, Se- 
curity Engineering 



1 Introduction 

Many aspects of cryptography and modern security engineering depend upon 
the generation of pseudo-random numbers. Examples are the use of nonces in 
authentication protocols, salts in certain signature schemes, generation of keys 
or the keystreams of stream cyphers [1] , [2] . The requirements of randomness in 
these generators vary according to their application. For example, the generation 
of master keys normally requires high quality or entropy [10]. But in the case 
of nonces, uniqueness can be the main requirement for some protocols [1]. 

Pseudo-Random Bit Generators (PRBG) are implemented by deterministic 
numeric algorithms and they should pass several statistical tests [2] , [3] , to prove 
themselves useful. These tests can be set up to different levels of requirements 
of randomness depending on the future application of the PRBG. The security 
of the entire cryptographic protocol or system, relies on the randomness quality 
of the generator [10]. 

Over the last two decades, several works have implemented PRBG based on 
chaotic systems (a complete survey can be found in [4]). Chaotic systems have 
the property of beeing deterministic in the microscopic space and behave ran- 
domly, when observed in a coarse-grained state-space. The sensitivity of chaotic 
maps to initial conditions make them optimum candidates to relate minimal 



critical information about the input, in the output sequence. Their iterative na- 
ture makes them fast computable and able to produce binary sequences with 
extremely long cycle lengths. 

In 2006 Madhekar Suneel proposes in [5] , a method for pseudo-random binary 
sequence generation based on the two-dimensional Henon map. The author also 
indicates that the choice of the Henon map is rather arbitrary and that similar 
results should also be attainable with other 2D maps. 

This paper explore precisely this possibility, and presents a finite automata 
scheme as the key to achieve that. This comprehensive scheme is then applied 
to two particular 2D dynamical systems presented in [6], which are formed by 
two symmetrically coupled logistic maps. The pseudo-random properties of the 
generators obtained that way, are investigated. 

The chaotic PRBG algorithm described in this paper can be used in different 
ways. One of its applications, and maybe the most immediate, could be the 
construction of practical stream ciphers. In this way, the chaotic PRBG can 
expand a short key into a long keystream, which directly exclusive-or'ed with 
the clear text or message, gives the ciphertcxt. The evaluation of the potential 
size of the key space and the computational cost of the algorithm makes it worth 
to be considered. 

The paper is structured as follows: Section 2 introduces chaotic PRBG. Sec- 
tion 3 describes statistical testing of random sequences. Section 4 obtains a 
PRBG based on a 2D symmetrical chaotic map of logistic type. In Section 5 
several binary sequences are obtained and tested. The computational cost of the 
PRBG algorithm and the size of the key space for cryptographic applications 
are evaluated in Section 6. Section 7 remarks the final conclusions and discusses 
further work to be done. 

2 Chaotic Random Bit Generation 

The inherent properties of chaos, such as ergodicity and sensitivity to initial con- 
ditions and control parameters, connect it directly with cryptography character- 
istics of confusion and diffusion [7] . Additionally chaotic dynamical systems have 
the advantage of providing simple computable deterministic pseudo-randomness. 

As a consequence of these observations, several works were presented since 
1990s implementing PRBG based on different chaotic systems [5], [9], [10], 
[11], [12]. In some way, it could be said that chaos has brought into being a 
novel branch for PRNG in cryptography, called chaotic PRNG. 

An N-dimensional deterministic discrete-time dynamical system is an itera- 
tive map / : SR^ ^ 3?^ of the form: 

Xk+i = f{Xk) (1) 

where fc = 0, 1 . . . n. is the discrete time and Xo,Xi. . . X„, are the states of 
the system at different instants of time. 

In these systems, the evolution is perfectly determined by the mapping / : 
3?^ 3?^ and the initial condition Xq. Starting from Xq, the initial state, the 



repeated iteration of (1) gives rise to a fully deterministic series of states known 
as an orbit. 

To build a chaotic PRBG is necessary to construct a numerical algorithm 
that transforms the states under chaotic behaviour of the system into binary 
numbers. The existing designs of chaotic PRNGs use different techniques to 
pass from the continuum to the binary world [4] . The most important are: 

1. Extracting one or more bits from each chaotic state along chaotic orbits [9]. 

2. Dividing the phase space into m sub-spaces (defined through A'^ = log2{m) 
threshold values), and output a binary number i = 0,l,,m — lif the chaotic 
orbit visits the ith subspacc [5], [10]. 

3. Combining the outputs of two or more chaotic systems to generate the 
pseudo-random numbers [11], [12]. 

Discrete or digital chaos implemented on computers with finite precision is 
normally called "pseudo chaos" . In pseudo chaos dynamical degradation of the 
chaotic properties of the system may appear, as throughout iterations pseudo 
orbits may depart from the real ones in many different and uncontrolled manners 
[8]. Even so, the above exposed techniques are capable of generating sequences 
of bits or binary numbers, which appear random-like from many aspects. 

One may also consider that using high dimensional chaotic systems could offer 
additional advantages. While less known, these systems whirl many variables at 
any calculation and the periodic patterns produced by the finite precision of the 
computer are more difficult to appear than in the low dimensional cases. 

In this paper the technique of dividing the phase space is followed and applied 
on two symmetrical two-dimensional (2D) chaotic maps of logistic type. 

3 Statistical Tests Suites 

In general, randomness cannot be mathematically proved. Alternatively, differ- 
ent statistical batteries of tests arc used. Each of these tests evaluates a relevant 
random property expected in a true random generator. To test a certain random- 
ness property, several output sequences of the generator under test are taken. 
As one knows a priori the statistical distribution of possible values that true 
random sequences would be likely to exhibit, a conclusion can be obtained upon 
the probability of the tested sequences to be random. 

Mathematically this is done as follows [3]. For each test, a statistic variable X 
is specified along with its correspondent theoretical random distribution function 
f{x). For non-random sequences, the statistic can be expected to take on larger 
values, typically far-out in the tails of f{x). A critical value is defined for the 
theoretical distribution so that P{X > Xa) = ol, that is called the significance 
level of the test. In the same way, theoretically other distribution functions and 
a (3 value could be defined to assess non-random properties. But in practice, it 
is impossible to calculate all the distributions that describe non-randomness, for 
there are an infinite number of ways that a data stream can be non-random. 



When a test is applied, the test statistic value Xg is computed on the sequence 
being tested. This test statistic value Xs is compared to the critical value Xa- If 
the test statistic value exceeds the critical value, the hypothesis for randomness 
is rejected. The rejection is done with a (100 * a)% probability of having FALSE 
POSITIVE error (this is called a TYPE I error, whore the sequence was random 
and is rejected). Otherwise is not rejected (i.e., the hypothesis is accepted) with 
a probability of (100*^)% of error (this is called TYPE 11 error or FALSE NEG- 
ATIVE, the sequence was non-random and is accepted). In consequence passing 
the test merely provides a probabilistic evidence that the generator produces 
sequences which have certain characteristics of random sequences. 

For a given application, the value of a must be selected appropriately. This 
is because if a is too high TYPE I errors may frequently occur (respectively 
if a is too low the same will happen for TYPE II errors). For cryptographic 
applications typical values of a are selected between the interval Q!e[0.001, 0.01], 
which is also referred as a confidence level in the interval [99.9%, 99%] for the 
test. Unlike a, (3 is not fixed, for it depends on the non-randomness defects of the 
generator. Nevertheless a, (3 and the size of the tested sequence (n) are related . 
Then for a given statistic, a critical value and a minimum n should be selected 
to minimize the probability of a TYPE II error (/3). 

There exist different well-known sources of test suites available in the In- 
ternet. In the present work, Marsaglia's Diehard test suite (in [13]) and NIST 
Statistical Test Suite (in [3]) were selected, for they are very accessible and 
widely used. Table 1 lists the tests comprised in these suites. In both suites, the 



Number 


Diehard test suite 


NIST test suite 


1 


Birthday spacings 


Frequency (monobit) 


2 


Overlapping 5-permutation 


Frequency test within a block 


3 


Binaxy rank test 


Cumulative sums 


4 


Bitstream 


Runs 


5 


OPSO 


Longest run of ones in a block 


6 


OQSO 


Binary matrix rank 


7 


DNS 


Discrete fouricr transform 


8 


Count-the-l's test 


Non-overlapping template matching 


9 


A parking lot 


Overlapping template matching 


10 


Minimum distance 


Maurer's universal statistical 


11 


3D-spheres 


Approximate entropy 


12 


Squeeze 


Random excursions 


13 


Overlapping sums 


Random excursions variant 


14 


Runs 


Serial 


15 


Craps 


Linear complexity 



Table 1. List of tests comprised in the Diehard and NIST test suites. 



test statistic value Xg obtained in each test is used to calculate a p-value that 
summaries the strength of evidence against the randomness of the tested PRBG. 



4 Pseudo-Random Bit Generation based on 
two-dimensional chaotic maps of logistic type 

In [6], Lopez- Ruiz and Perez-Garcia analyze a family of three chaotic systems 
obtained by coupling two logistic maps. The focus here will be made on models 
(a) and (b), which will be called systems A and B: 



SYSTEM A : 

Ta : [0, 1] X [0, 1] [0, 1] X [0, 1] 

x„+i = A(3j/„ + l)a;„(l - Xn) 
Vn+l = A(3.T„ + l)y„(l - Un) 



SYSTEM B : 

Tb : [0, 1] X [0, 1] [0, 1] X [0, 1] 

(2) 

Xn+i = A(3a;„ + 1)?/„(1 - y„) 

Un+l = A(3y„ + 1)X„(1 - Xn) 



Amazingly, these systems show the following symmetry TA{x,y) = TB{y,x), 
which implies that T^{x,y) = Tg{x,y). From a geometrical point of view, both 
present the same chaotic attractor in the interval A G [1.032, 1.0843]. The dy- 
namics in this regime is particularly interlaced around the saddle point PA, that 
plays an important role for our proposes: 




P4 = [P4„ PAy], where PA, = PAy = - { 1 + J 4 ~ - ] . (3) 



To obtain the Symmetric Coupled Logistic Map PRBG, the algorithm pre- 
sented in [5] is applied on System A. Its functional block structure is represented 
in Fig.l and it is explained in the following paragraphs. 



Logistic Bimap (System A) Sub-space decision Binary Mixing 




Fig. 1. Functional block structure of the proposed algorithm in [5] for System A. 



In this case, the technique of dividing the phase space in four sub-spaces 
is used. This is done in the block named as Sub-space decision in which the 
threshold values, and Ty, are employed to convert the suite into a binary 
sequence, by means of the following equations: 

rO if X < r 6. = (? !! ^ - (4) 

A purely statistical procedure is proposed in [5] to obtain (or Ty) as the 
median of a large T set of x (or y) values. Tx and Ty arc chosen after the first 
T = 1000 iterations of the system. After obtaining Sx = {^^liSi and Sy = 
{6^}^^, they are sampled with a frequency of 1/P (each P iterations) and = 
{bx*^}iZi and By = {6^*'}^^ are obtained. The effect of skipping P consecutive 
values of the orbit is necessary to get a random macroscopic behaviour. With 
this operation, the correlation existing between consecutive values generated by 
the chaotic system is eliminated, in a way such that over a Pmim sequences 
generated with P > Pmin will appear macroscopically random. Although P is 
normally introduced as an additional key parameter in pseudo-random sequences 
generation [14], it strongly determines the speed of the generation algorithm, 
so it is recommended to be kept as small as possible. 

The output binary pseudorandom sequence 0(j) is obtained by a mixing 
operation of the actual and previous values of the sequence B{j) = [Bx{j), By{j)] 
given by the truth table sketched in Table 2. 





By{j - 1) 


By{j-2) 





1 







Not(B4i)) 


1 


By{j) 


Not(i3^(j)) 



Table 2. Truth table generating the binary sequence. 



Unfortunately the sequences so formed do not pass the minimum require- 
ments of randomness assessed by Diehard test suite. At this point, it is noticed 
that, to obtain good results, the geometrical characteristics of the system must 
be taken into account. More precisely, it is found out that the division of the 
phase space in four sub-spaces must be defined, in a way that the system visits 
each sub-space according to a particular finite state automata. This automata 
is inferred from the Henon map behaviour in [5] and it has a particular pattern 
of visits of the four sub-spaces. For Systems A and B, this finite automata is 
depicted in Fig. 2(a) and 2(c). 

Let us name the sub-spaces corresponding to [6^, hy] with values [0, 0], [1,0], 
[0,1] and [1,1] as 1,2,3 and 4. Although the four sub-spaces arc not visited 
equally, there exists a symmetry of movements between sub-spaces 1-3 and 2-4, 
which has a characteristic mixing of 50% and 50%, as long as a predominant 




(c) (d) 

Fig. 2. (a) Finite automata and (b) final sub-space division for System A. (c) Finite 
automata and (d) final sub-space division for System B. (In both cases, A = 1.07). 



(80%) and constant transition between 3 and 2. This leads to a highly variation 
of binary values in sequences Sx, Sy. In the end, these conditions give the final 
result of an output sequence 0(j) with a proper balance of zeros and ones, or 
put it in another way, with pseudo-random properties. 

To get this automata for the symmetric coupled logistic maps Systems A 
and B, one should chose the diagonal axis, which divides phase space in two 
parts, each of which is equally visited (50%). And additional statistical calculus 
is required to divide these two sub-spaces, in another two with a visiting rate of 
40%-10% each one. When this is done, one can observe that this is got by merely 
selecting P4 and the line perpendicular to the axis in P4 as the other division 
line. The final sub-space division for each system is presented in Fig. 2(b) and 
2(d), along with the indications of the evolution of the visits to each sub-space. 

Finally the initial algorithm in Fig. 1 applied to System A, is modified with 
the appropriate sub-space decision block. The final PRBG functional scheme is 
represented in Fig. 3. 

As a direct application to cryptography, the PRBG could be used for the 
construction of a stream cipher. Different initial conditions, Xq and j/o and pa- 
rameters A and P, can be applied to the input of the system and be used as a 
key to generate the keystream, or output sequence 0{j). The keystream 0{j) 
can be XORed directly with a clear text obtaining that way the ciphertext. 



Logistic Bimap (System A) Sub-space decision Binary IVIixing 




Fig. 3. Functional block structure of the PRBG applied to the symmetric coupled 
logistic map PRBG with System A. 

Different sequences are obtained with the system of Fig. 3 in next section. 
Their randomness is assessed and demonstrates them statisticahy vaUd for cryp- 
tographic applications. This may indicate that the automata scheme presented in 
Fig. 2(a) and 2(c) represents a sufficient condition to obtain pseudo-randomness. 
Consequently, it can represent a systematic scheme to extend the algorithm in 
[5] to get PRBG on other chaotic maps. 

5 Pseudo-Random Sequences Statistical testing 

To assess the randomness of the PRBG obtained in the previous section with 
systems A and B, several sequences are obtained and submitted to the Diehard 
[13] and NIST [3] test suites described in section 3. Similar results were found 
for both systems and for simplicity, only those obtained with system A will be 
presented here after. Ten sequences were generated with six different sets of 
initial conditions. Their characteristics are described in Table 3. 



Sequence 


SI 


S2 


S3 


S4 


S5 


S6 




0.989125 


0.491335 


0.672757 


0.726874 


0.39565 


0.999851 


yo 


0.689125 


0.691335 


0.497757 


0.901874 


0.49565 


0.649851 


A 


1.04869 


1.05392 


1.06961 


1.08007 


1.06438 


1.07489 


PDmin 


55 


45 


35 


47 


n.a. 


n.a. 


PNmin 


83 


105 


83 


83 


100 


85 



Table 3. Parameters PDmin and PNmin for different sequences Si, i — 1,..,6, with 
different initial conditions (xojyo) and map parameter A. 



Six of them (S1,S2,S3,S4,S5 and S6) were tested with Nist tests suite with 
200 Mill, of bits and four of them (S1,S2,S3 and S4) were tested with Diehard 
tests suite with 80 Mill, of bits. Here, the parameters Pomm and PNmin are the 
minimum sampling rate or shift factor, Pmin, over which, all sequences generated 
with the same initial conditions and P > P„iin pass Diehard or Nist tests suites, 
respectively. It is observed here, that the Nist tests suite requires a higher value 
of Pmin and that S5 and S6 were not tested with Diehard battery of tests. 

In the Diehard tests suite, each of them returns one or several p- values which 
should be uniform in the interval [0,1) when the input sequence contains truly 
independent random bits. The significance level of the tests was set properly for 
cryptographic applications {a = 0.01). The software available in [13] provide a 
total of 218 p- values for 15 tests, and the uniformity requirement can be assessed 
graphically plotting them in the interval [0,1). 
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(b) 



Fig. 4. (a) Diehard test suite p-values obtained with all tests for initial conditions SI 
with P = Pomin = 55. (b) p-values obtained for initial conditions Sl(»),S2(o),S3(*) 
and S4(x) with P = Pomin value in Table 3. 



Fig. 4(a) shows the uniformity distribution of the p-values over the interval 
[0,1) obtained for a sequence with initial conditions SI and Pomm = 55. Se- 
quences with initial values SI to S4 where proved to pass the Diehard battery 
of tests. Fig. 4(b) presents a graphical representation of the p-values obtained 
for each sequence with sampling factor P = PDmin value in Table 3. It can be 
observed that some p- values are occasionally near or 1. Although it can not 
be well appreciated in the figure, it has to be said that those never really reach 
these values. 

In the Nist tests suite [3], one or more p- values are also returned for each 
sequence under test. The significance level of the tests was set to a = 0.01, as 
in the Diehard case. These tests require a sufficiently high length of sequences 
and to prove randomness in one test, two conditions should be verified. First, a 
minimum percentage of sequences should pass the test and second, the p-values 
of all sequences should also be uniformly distributed in the interval (0, 1). 



For this case, each of the six sequences with initial conditions SI to S6 are 
arranged in 200 sub-sequences of IMill. bits each and submitted to tlic; Nist 
battery of tests. Sequences S proved to pass all tests over a minimum value of 
PNmin, shown in Table 3. 



Uniformity of p-values for S4 




Test number 



(a) (b) 

Fig. 5. In (a), the proportion of sub-sequences SI that passes each test is displayed. In 

(b) The distribution of p-valuos of S4 is examined for each test to ensure uniformity. 
The interval between and 1 is divided in ten sub-intervals (CI, C2, CIO), and the 
p-values that lie within each subinterval are counted and plotted. 

In Fig. 5(a) and 5(b), the results obtained for 5*1 and S4 respectively are 
graphically presented, as an example of what was obtained for each S. The 
tests in the suite are numbered according to Table 1. Fig. 5(a) represents the 
percentage of the 200 sub-sequences of SI, that pass each of the 15 tests of the 
suite. These percentages are over the minimum pass rate required of 96.8893% for 
a sample size = 200 binary sub-sequences. Fig. 5(b) describes the uniformity of 
the distribution of p-values obtained for the 15 tests of the suite. Here, uniformity 
is assessed. The interval (0,1) is divided in ten subintervals (CI, C2, CIO) and 
the number of p-values that lay in each sub-interval, among a total of 200, are 
counted and proved to be uniform. 

6 Key space size and computational cost 

To establish the complexity, and consequently the speed of the PRBG described 
in Fig. 3, the principle of invariance is observed. This says that the efficiency of 
one algorithm in different execution environments differs only in a multiplicative 
constant, when the values of the parameters of cost are sufficiently high. 

In this sense, the asymptotic behaviour of the computational cost of the 
PRBG is governed by the calculus performed in the chaotic block. This block 
performs P iterations to obtain an output bit, 0{j). 



The capital theta notation (O) can be used to describe an asymptotic tight 
bound for the magnitude of cost of the PRBG. And consequently, the 2D sym- 
metric coupled logistic maps have a computational cost or complexity of order 

0{P*n). 

When considered for cryptographic applications, the key space is determined 
by the interval of the parameter A and the initial conditions that keep the dynam- 
ical system in the chaotic regime. These are A <E [1.032, 1.0843] , xq G (0, 1) and 
2/0 G (0,1). The sampling parameter can also be considered as another parameter 
of the key space. One must observe that P should be kept in a suitable range, 
so that the PRBG is fast enough for its desired application. These intervals can 
be denoted with brackets and calculated as [A] = 0.0523, [xq] ~ 1, [yo] = 1 and 
[P] = 4890, when taking [P] e [110, 6000] as the range of the sampling factor. 

Let us consider £32 ~ 1.1921 x 10~^ as the smallest available precision for 
fixed-point representation with 32 bits and its correspondent magnitude ee4 ~ 
2.2204 X 10~^® for floating-point numbers with 64 bits. These quantities give us 
the maximum number of possible values of every parameter in any of the two 
representations. This is easily computed dividing the intervals by e, as K\ = 
[A]/g, = [xo]/e, Ky„ = [2/0] /e and Kp = [P]/e- The total size of representable 
parameter values is given by K, calculated as K = Kx x K^f^ x Ky^ xKp. K is the 
size of the available key-space and its logarithm in base 2 gives us the available 
length of binary keys to produce pseudo-random sequences in the generator. 

The values obtained for each number precision, are K32 = 1-53 x 10^° with a 
key length of 100 bits for single precision and Ke4 = 1.27 x 10^^, with a key length 
of 216 bits for double precision. These results are encouraging for recommending 
the use of the PRBG in Fig. 3 for cryptographic applications, where a length of 
keys greater than 100 is considered strong enough against brute force attacks, 
[7]. 

7 Conclusions 

In the present work, a refinement of the algorithm exposed in [5] by M. Suneel is 
presented. It consists of the introduction of a finite automata that makes possible 
its application to other chaotic maps. In some way, this finite automata could 
be said to extend the range of application of this algorithm for other 2D chaotic 
systems. This is referred in [4] as making the PRBG chaotic-system- free. 

The fact is that, while systematic, the scheme presented in this paper is not 
straight-forward. This is because building the finite automata requires necessar- 
ily a detailed study of the geometrical properties of the dynamical evolution of 
the chaotic system. 

The authors apply this technique to build two new PRBG using two particu- 
lar 2D dynamical systems formed by two symmetrically coupled logistic maps. A 
set of different pseudo-random sequences arc generated with one of the PRBG. 
Statistical testing of these sequences shows fine results of random properties for 
the PRBG. 



The estimation of the PRBG computational cost has an asymptotic tight 
bound of 0{P * n). The available size of the key space is also calculated and a 
minimum length of binary keys of 100 and 216 bits is obtained for simple and 
double precision respectively. These preliminary results indicate a promising 
quality of the PRBG for cryptographic applications. 

Consequently, the chaotic PRBG algorithm could be of use for different ap- 
plications in security engineering. A direct application in cryptography could be 
the construction of a stream cipher. This can be easily obtained when the out- 
put sequences 0{j) in Fig. 3 are used as a keystream. Then, this can be directly 
XORed with a clear text obtaining that way the ciphertext. 

For future work, the authors plan to consider the geometrical properties of 
the logistic bi-mappings to enhance the performance of the presented PRBG. 
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